Kerio has thrown everything into its WinRoute 6.5 software firewall, including high-end features normally found only in more expensive mid-market appliances.

The Kerio WinRoute software firewall has been the company's bread and butter since the late nineties. Over the years, the product has evolved into a full-fledged unified threat management (UTM) solution, supporting all seven OSI layers. Competing products with the same features are generally sold as appliances. WinRoute 6.5, released on September 9, is unusual because it's software-based but packs many capabilities normally available only with high-end appliances. At $399 direct for ten users, this versatile, easily configured program will appeal to businesses and even home users with a number of systems to protect.

The firewall's user-access and traffic policies, which manage port blocking, are simple to configure but offer powerful, granular control that lets administrators do fine-tuning to meet stringent network restrictions. The policy module focuses on control of the networking elements related to the end user, such as HTML objects and bandwidth, but you can also create policies for ports. The protocol inspector examines HTTP, FTP, POP3, SMTP, and other common protocols. The feature looks at the packets that pass through the firewall, making real-time determinations about permitting HTTP requests and checking the content, such as URLs and other metadata, for violations of content-filtering rules. RADIUS and LDAP sign-on services, as well as data access ports and a variety of protocols and services such as peer-to-peer (P2P), are turned off by default.

WinRoute includes IBM's decent Proventia content-filtering engine and the highly flexible OrangeWeb Filter module (from ISS), which enables the firewall to accept or block URLs based on content. ISS screens out URLs based on predefined categories. For an extra $100, you can get McAfee's reasonably good antivirus engine, but you're also free to use AVG, Clam AntiVirus, Symantec's Scan Engine, or other AV utilities the firewall supports.

I found the software extremely easy to understand and navigate, in part because most features are readily accessible, not buried deep inside menus. In testing some UTM appliances such as Astaro's Security Gateway 110 and Untangle Professional, I've had to comb through several nonintuitive panes to create policies, and to adjust network-bandwidth settings I've had to delve deep inside QoS features. With WinRoute, the barriers to learning are far smaller.

The firewall's seven-step configuration wizard covers nearly all the security bases. In step 4, for instance, you can turn on HTTP, FTP, SMTP, and any other protocols you're allowing to access the Web or are accepting from the outside world. The wizard walks you through the process of creating rules in its policy engine and helps you deselect its default services, such as IMAP and Telnet, and even VPN client access rules. WinRoute also comes with server software for DHCP and a clientless SSL VPN, so you can turn any spare Windows PC into a router and a network-gateway appliance.

With the built-in content filter, adding new words or new sites to block is simple. The feature doesn't perform heuristics on words or phrases; products like ContentWatch's ContentProtect are more sophisticated in their word analysis. Nonetheless, WinRoute's content filter works admirably. A simple logging feature tracks every site, external access requests from unknown sources, errors reaching sites, and VPN clients. The information helps admins keep an eye on the sites employees visit. In general, Kerio has improved the software's reporting capability considerably since the last time we reviewed WinRoute. And when you need to adjust policies after initial configuration, the process is easy. If, for example, you want to add a port rule, you can do so in seconds using the traffic policy module.

WinRoute places a great deal of emphasis on bandwidth management. The limiter can meter network traffic on each network connection and even the bandwidth allowed to individual users. A useful quota option lets you, for example, restrict your employees' download speed but still let them access P2P sites. I recommend taking advantage of the feature, especially if you do a lot of business over the Web. The last thing you want is for your sales staff, IP PBX VoIP phone system, or e-commerce server to lose Web access.

Version 6.5 includes a traffic load-balancing feature (called Link-Load Balancing), which you can turn on during the software's wizard install. In effect, the feature combines two or more Internet lines into one. So, for example, if you have 2-megabit-per-second and 1.5-Mbps downlinks, your network will see a single pipe of 3.5 Mbps. WinRoute distributes your network traffic among the different lines in a way that attempts to maximize throughput. The load balancer also provides a form of voice-traffic QoS. You can route streaming content, such as VoIP, to one line and leave the other lines for Web use. This capability provides a hassle-free way to segment your network traffic.

Load balancing requires separate physical network connections coming in from your ISP, each of which must plug into its own network card on the same PC. And, of course, WinRoute needs to see the active network adapters to manage the bandwidth properly, so don't forget to check for disabled adapters after plugging in your network cable. I tested load balancing with one network connection and was easily able to limit my network's bandwidth use by right-clicking on the network connection and configuring the link-balancing option.

I also discovered I could add a VPN tunnel right at the network adapter, which is quite handy because you don't have to mess around with the VPN server. If, however, you need to manage a VPN server, you'll be happy to find that WinRoute automates the setup. Even if you need to do something exotic like divert VPN clients into separate ports, the server capability won't disappoint. As a bonus, administrators can even install the VPN agents on corporate notebooks without disturbing end users too much. The SSL VPN WinRoute employs is the simplest method of creating a secured connection into a network, and it's my favorite, too.

Because Kerio WinRoute 6.5 can run on any Windows desktop or server, it can scale better than competing firewall appliances. As your business grows, you simply have to bump up the power of the hardware and the number of network lines. My biggest problem with the product is the lack of context-sensitive help. If you need immediate assistance while attempting to use a feature, your only option is searching through a large help file. But that's a relatively minor complaint when measured against the ease of use, scalability, and reasonable cost of Kerio WinRoute 6.5.

About the Author

Mario Morejon is PCMag’s Lead Analyst for Networking and Small Business. In addition to maintaining the network infrastructure at PCMag Labs, Mario tests all sorts of software and hardware tools that help small business get bigger.
